Understanding Home Directories

Chrisan · March 20, 2025, 3:03pm

Quick question for the experts as I try to increase my understanding. I have a user in TrueNAS Scale(V Dragonfish-24.04.2.5) lets call him USERNAME. When I look at his credentials I see a “home directory” of /mnt/Pool_1/USERNAME. I know this directory exists because I can attach to it from Windows File Explorer. So my question is should USERNAME show up as a dataset on the datasets tab. In my case it does not. Expected behavior?

Johnny_Fartpants · March 20, 2025, 3:16pm

Hi,

By default no, home directories are directories not datasets so won’t be listed on that screen.

If we’re taking SMB then I’m fairly sure you can configure it so that a dataset is created when users authenticate for the first time but that’s a different conversation.

Chrisan · March 20, 2025, 3:35pm

OK, that’s good info. The only way I can navigate to /mnt/Pool_1/USERNAME through Windows is to set up an SMB at the pool level, which I understand is not best practice. I can set up SMB at the dataset level and navigate to it with the Pool_1 SMB disabled. Armed with this info I’m going to need to move some data around and figure out what to do with home directory. Having a hard time finding good documentation on the purpose of the home directory.

Johnny_Fartpants · March 20, 2025, 3:52pm

So what are you trying to achieve?

Are you after a one stop shop where you can point users to and it auto create them a folder/dataset but you as the administrator wish to retain access to all the data so that you can access via an SMB mount?

Chrisan · March 20, 2025, 5:14pm

Thank you for asking. This is a very simple one person NAS for me. I wanted 3 mappings to Windows File Explorer for Music, Backups and Picture mapped to M,N and O drives respectively.

I originally set this up like this:
mnt/Pool_1/username/Music
mnt/Pool_1/username/Backups
mnt/Pool_1/username/Pictures
Where username is a directory. Required SMB at pool level. It worked.

Later I installed Plex and somehow messed up my permissions. I finally just uninstalled Plex and will worry about it later. But I still have this SMB at the pool level, which I have come to learn is not best practice. I decided to create a dataset to use and move my data there. So I am working towards:

mnt/Pool_1/user_files/Music
mnt/Pool_1/user_files/Backups
mnt/Pool_1/user_files/Pictures
Where user_files is a dataset. No pool level SMB required.

Looks like I have a lot more control over a dataset than some directory.
Thx

Johnny_Fartpants · March 20, 2025, 5:19pm

Having a dataset per share works well for most people and good standard practice.

juliejohn · March 24, 2025, 8:14pm

Johnny, what you describe here sounds like what I am trying to achieve. I want to have regular home directories where each user can only see and edit their own. But I also wish to have an auditor group whose users can see and edit all the user home directories for everyone. I have tried several ways with varying degrees of success, but have never gotten this to fully work. I am trying to keep to the motto that TrueNas is an appliance, and tinkering around with the command line is not encouraged. Especially having to do that once every three months when a new employee is hired and I forgot what I did. Thanks.

awalkerix · March 24, 2025, 8:56pm

Step 1 (User share)
Create a single dataset and share (Users share):
Pool_1/user_files and use the SMB share preset in the dataset creation form (create share while you’re at it). Using the Dataset preset makes it so that permissions are automatically set such that any local user can write to the share.

Then modify the share so that it has the purpose “Private datasets and shares”.
This makes it so that anyone who accesses the share gets chrooted into their own ZFS dataset that is automatically created when they access the share.

Step 2 (Admin share):
Create a second share “Admin share” pointing to /mnt/Pool_1/user_files that does not have that preset.

Then set an SMB Share (not filesystem) ACL that restricts access to the Admin share to your admin users group.

Result:
When the regular user “bob” accesses the “User share” a ZFS dataset Pool_1/user_files/bob is created and the share’s root will be /mnt/Pool_1/user_files/bob

When the admin user “larry” accesses the “User share” a ZFS dataset Pool_1/user_files/larry is created and the share’s root will be /mnt/Pool_1/user_files/larry.

When the admin user “larry” accesses the “Admin share”, the share’s root will be /mnt/Pool_1/user_files and everyone’s datasets will be visible.

When the regular user “bob” tries to access the “Admin share”, his access will be blocked by the SMB share ACL.

Johnny_Fartpants · March 24, 2025, 8:59pm

Well said. Is there anyway to auto generate a quota per user/dataset to ensure a rogue user doesn’t gobble up all the space?

awalkerix · March 24, 2025, 9:03pm

Yes. I plan to rework backend APIs to expose more features based on the share’s purpose. That said, I personally think using a soft admin hammer of telling the user “stop doing that” is better than imposing dataset quota (which can have pool-wide performance impact when it’s hit).

Johnny_Fartpants · March 24, 2025, 9:11pm

Yeah sounds nice but can’t see that approach working at my place

awalkerix · March 24, 2025, 9:17pm

Depends on the scale of the environment. Otherwise I wrote up a few variations of this in the past:

github.com/truenas/samba

source3/modules/vfs_zfs_core.c

30b6c3300


      
          		return -1;
          	}
          
          	/*
          	 * Check if we need to automatically create a new ZFS dataset
          	 * before falling through to SMB_VFS_NEXT_CONNECT.
          	 */
          	config->zfs_auto_create = lp_parm_bool(SNUM(handle->conn),
          			"zfs_core", "zfs_auto_create", false);
          
          	config->dataset_auto_quota = lp_parm_const_string(SNUM(handle->conn),
          			"zfs_core", "dataset_auto_quota", NULL);
          
          	if (config->zfs_auto_create) {
          		ret = create_zfs_connectpath(handle, config, user);
          		if (ret < 0) {
          			return -1;
          		}
          	}
          
          	ret = conn_zfs_init(handle->conn->sconn,

For instance, automatically setting dataset quota on the newly created datasets. Though I think this work we’re doing in upstream ZFS is more interesting:

github.com/openzfs/zfs

Implement default user/group/project quotas including object quotas

master ← ixhamza:NAS-131289

opened 02:22PM - 10 Mar 25 UTC

ixhamza

+2399 -64

### Motivation and Context This change implements default quotas for users,… groups, and projects (including object quotas) by extending concepts from [Solaris' Default Quotas feature](https://docs.oracle.com/cd/E53394_01/html/E54801/gazvb.html#SVZFSgpwey). These defaults guarantee consistent quota enforcement when no per-ID limits are set while ensuring compatibility with existing tools and workflows. This PR is inspired by enhancements proposed in [PR #16283](https://github.com/openzfs/zfs/pull/16283). Fixes: https://github.com/openzfs/zfs/issues/5431. ### Description This change adds default quota properties to `MASTER_NODE_OBJ`, similar to per-ID specific quotas. The functions `zfs_id_overobjquota()` and `zfs_id_overblockquota()` have been updated to enforce default limits when no specific per-ID quotas are set. Kernel interfaces for FreeBSD (user/group quotas) and Linux (project quotas) now reflect default quotas to maintain consistency between visibility and configured limits. The `zfs userspace`, `zfs groupspace`, and `zfs projectspace` commands display default quotas when no per-ID quotas exist. Newly added tests take motivation from existing per-ID quota tests. ### How Has This Been Tested? - CI Testing. - All newly added tests for default quota enforcement and visibility pass successfully. ### Types of changes - [ ] Bug fix (non-breaking change which fixes an issue) - [x] New feature (non-breaking change which adds functionality) - [ ] Performance enhancement (non-breaking change which improves efficiency) - [ ] Code cleanup (non-breaking change which makes code smaller or more readable) - [ ] Breaking change (fix or feature that would cause existing functionality to change) - [x] Library ABI change (libzfs, libzfs\_core, libnvpair, libuutil and libzfsbootenv) - [x] Documentation (a change to man pages or other documentation) ### Checklist: - [x] My code follows the OpenZFS [code style requirements](https://github.com/openzfs/zfs/blob/master/.github/CONTRIBUTING.md#coding-conventions). - [x] I have updated the documentation accordingly. - [x] I have read the [**contributing** document](https://github.com/openzfs/zfs/blob/master/.github/CONTRIBUTING.md). - [x] I have added [tests](https://github.com/openzfs/zfs/tree/master/tests) to cover my changes. - [ ] I have run the ZFS Test Suite with this change applied. - [x] All commit messages are properly formatted and contain [`Signed-off-by`](https://github.com/openzfs/zfs/blob/master/.github/CONTRIBUTING.md#signed-off-by).

Nordlicht-13 · March 24, 2025, 9:37pm

For better understanding the homefolders you can watch this YouTube video:

It’s already some years old, but it’s explains the user and group management with homefolders good.

juliejohn · March 24, 2025, 10:32pm

Thank you guys!

Summary:
Used awalkerix’s steps. It almost worked. All users tested can create, modify, and delete files in their own private home directory.

The admin user can access the directory names but cannot go into the home directories of other users.

Everything I’m working on is just for testing at this stage, so I can create and delete anything with impunity.

Details:

Current setup has a parent dataset called data and the home directory dataset is called home3.
I have two SMB shares to home3: home3 and home3admin. I have a group called home3admin with ruby in it.
ruby can access her private home directory.
ruby is in the home3admin group.
The home3admin SMB share’s Share ACL has Permission Full for home3admin group.
The home3admin SMB share’s Filesystem ACL - I added full control for home3admin group.
ruby cannot enter richard’s private home directory.

Obviously I have something misconfigured.

Johnny_Fartpants · March 24, 2025, 10:56pm

Is your admin user a member of a group that has full control over the parent dataset you created for your Home Shares?

home3admin group needs access (I’d suggest full control) over the home3 dataset.

As this is a test you may want to delete the newly created sub-datasets and start again making sure home3admin group has full control over the home3 dataset.

juliejohn · March 24, 2025, 11:19pm

Thanks, Johnny_Fartpants.

Yes, home3admin group already had full control over home3 dataset. And ruby was a member of home3admin group.

So I just ALSO gave home3admin group full control over the home3 dataset’s parent dataset which is called data, but that didn’t fix things.

The upshot is ruby still can’t get into richard’s home directory.

awalkerix · March 25, 2025, 2:21am

Note my example was not to set home directories. Typically on a NAS there is absolutely no reason to set a user’s home directory. Your regular users shouldn’t have shell access.

Johnny_Fartpants · March 25, 2025, 11:07am

I think @juliejohn is trying to create an environment where users essentially have a private SMB share which is often referred to as a home directory which can be misleading.

Anyway @juliejohn I have this working well so let me try to explain.

This is what my ‘home3’ dataset looks like and it’s essentially just the defaults with nothing changed. Make sure when you create this dataset you select ‘SMB’ as the preset and untick ‘Create SMB Share’ as we will do that step next.

I have then created two shares pointed at this dataset. One ‘home3’ using the ‘Private SMB Datasets and Shares’ preset and the other ‘home3admin’ using ‘Default share parameters’.

Finally I’ve edited the Share ACL on ‘home3admin’ to only allow the ‘builtin_administrators’ group access.

The key to all this is that my admin user (ruby in your case) is a member of the ‘builtin_administrators’ group otherwise this won’t work. You don’t have to use this group but it does make things much simpler and means you don’t have to change the dataset ACL as it already works out of the box.

I hope this helps.

juliejohn · March 25, 2025, 4:46pm

Thank you, Johnny_Fartpants!

Turned off SMB.
Deleted existing home3 dataset.
Created home3new dataset per your specifications.
Received warning about Parent ACL, chose Return to Pool List.
Created share home3new for normal users
Created share home3newadmin for admin users
Gave builtin_administrators rights to the admin share
Added ruby to builtin_administrators group
Created home dir for richard in home3new
Turned on SMB.
Connected via workstation SMB as richard to home3new
Able to add, change, and delete files.
Not able to get into home3newadmin as expected.
Connected via workstation SMB as ruby to home3newadmin
Able to see the richard folder.
Not able to go into it. I expected to be able to do this.

I appreciate your help!

juliejohn · March 25, 2025, 4:48pm

Sorry about the grid layout, it’s my first time doing images. They are numbered in the filename.